An Objective Analysis of the Lockdown Protection System for Battle.net

12/2007

Skywing
skywing@valhallalegends.com

Abstract:

Near the end of 2006, Blizzard deployed the first major update to the version
check and client software authentication system used to verify the authenticity
of clients connecting to Battle.net using the binary game client protocol. This
system had been in use since just after the release of the original Diablo
game and the public launch of Battle.net. The new authentication module
(Lockdown) introduced a variety of mechanisms designed to raise the bar with
respect to spoofing a game client when logging on to Battle.net. In addition,
the new authentication module also introduced run-time integrity checks of
client binaries in memory. This is meant to provide simple detection of many
client modifications (often labeled "hacks") that patch game code in-memory in
order to modify game behavior. The Lockdown authentication module also
introduced some anti-debugging techniques that are designed to make it more
difficult to reverse engineer the module. In addition, it includes several
checks designed to make it difficult to simply load and run the Blizzard
Lockdown module from the context of an unauthorized, non-Blizzard-game
process. After all, if an attacker can simply load and run the Lockdown
module in his or her own process, it becomes trivially easy to spoof the game
client logon process, or to allow a modified game client to log on to
Battle.net successfully. However, like any protection mechanism, the new
Lockdown module is not without its flaws, some of which are discussed in
detail in this paper.